
Week-2 Lab - Data Acquisition and Duplication

Part 1: Working with FTK Imager and Forensic Imaging

Pre-Lab Reading

Learning Objectives

  • Apply appropriate forensic tools and techniques in a realistic investigative scenario.
  • Use FTK Imager to create, mount, and verify forensic images.

Employability Focus

  • Demonstrate evidence handling and acquisition skills aligned with industry practice.
  • Produce valid forensic images that can withstand legal scrutiny.

About FTK Imager

FTK® Imager is a data preview and imaging tool that allows investigators to create and examine forensic images without modifying the original evidence. It produces bit-for-bit copies of digital media, preserving all data - including file slack, unallocated space, and deleted items.

When used correctly (with a hardware write-blocker), FTK Imager enables safe acquisition for later analysis in tools such as FTK, Autopsy, or X-Ways.



Logins

  • Log in to your Forensic Workstation using student or .\cyberstaff


Activity 1 - Creating a Forensic Image

In this activity, you will create a forensic image using FTK Imager. You can complete this task using one of two routes, depending on whether you have access to a USB drive:

  • Route 1: Imaging a physical USB device
  • Route 2: Imaging the contents of a folder (no USB required)

Apart from the source-of-evidence selection (Step 5), the steps are the same.

  1. Collect a USB drive.

  2. Log in to your Cyber Lab workstation.

  3. Launch AccessData FTK Imager (Run as Administrator).

  4. Go to File - Create Disk Image.

  5. Select Source of Evidence:

    1. For Route 1 --> Choose Physical Drive - click Next.
    2. For Route 2 --> Choose Content of a Folder - click Next.
  6. Select the correct suspect drive - click Finish.

    Ensure you select the correct device - double-check the drive size and label.

  7. Click Add... to define the image destination.

  8. Select E01 (EnCase image format) - click Next.

    • Question: What is an E01 file format and why is it commonly used?
  9. Enter case information (Name, Examiner, Evidence Number) - click Next.

  10. Verify the destination path and filename: E_01_Physical_Image_YourName

    • Set Fragment Size = 0 (single file).
    • Click Finish.
  11. In Create Image, enable:

    • Verify images after they are created
    • Create directory listings of all files in the image
  12. Click Start to begin acquisition.
  13. Observe progress and note any errors or warnings.
  14. When imaging completes, review the summary window showing:

    • MD5 and SHA-1 hashes
    • File count, image size, and sector information
  15. Confirm that the computed and verification hashes match for each algorithm - if they do, integrity is preserved.
  16. Save the text log report generated by FTK Imager.
  17. Safely remove the USB source and return it to your lecturer.
  18. Back up your image to your personal USB or OneDrive - you will use it again later.

Reflection: Why is it important to verify hashes immediately after imaging?
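To make the hash-verification step concrete, here is an added Python example (not part of the lab handout or of FTK Imager itself) that recomputes MD5 and SHA-1 over image data the way the verify step does, compares them with the hashes recorded at acquisition, and shows that a single flipped bit in unallocated space fails verification on both algorithms. The sample image bytes are constructed for illustration; note that the hashes are taken over the acquired data, not over the .E01 container file.

```python
"""Hash verification of a forensic image, as FTK Imager does after acquisition."""
import hashlib
import io

SECTOR = 512
CHUNK = 1024 * 1024  # stream in 1 MiB blocks so multi-GB images never sit in RAM

def hash_stream(source, algorithms=("md5", "sha1")):
    """One pass over the image data, updating every requested digest.
    FTK Imager hashes the acquired sectors, not the .E01 container file,
    so the input here is raw device data (bytes or a file opened 'rb')."""
    if isinstance(source, (bytes, bytearray)):  # accept in-memory data too
        source = io.BytesIO(source)
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: source.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(source, acquisition_hashes):
    """Recompute digests and compare with the values recorded at acquisition
    (the computed hashes in FTK Imager's log). Returns (all_match, {alg: ok})."""
    computed = hash_stream(source, tuple(acquisition_hashes))
    results = {name: computed[name] == expected.lower()
               for name, expected in acquisition_hashes.items()}
    return all(results.values()), results

def make_sample_image():
    """Constructed stand-in for a small raw drive image (not real evidence): a
    boot sector, one allocated file and a deleted file left in unallocated space."""
    data = bytearray(SECTOR * 8)
    data[0:11] = b"BOOT_SECTOR"
    data[SECTOR:SECTOR + 19] = b"FILE: MySister.jpg "
    data[SECTOR * 4:SECTOR * 4 + 20] = b"DELETED: secret.txt "  # unallocated area
    return bytes(data)

def tamper_one_byte(image, offset):
    """Flip one bit at `offset`: the silent change an unblocked write
    (e.g. the OS touching metadata) can make to source media."""
    altered = bytearray(image)
    altered[offset] ^= 0x01
    return bytes(altered)

if __name__ == "__main__":
    image = make_sample_image()
    recorded = hash_stream(image)                 # hashes noted at acquisition
    print("untouched image verifies:", verify_image(image, recorded)[0])
    changed = tamper_one_byte(image, SECTOR * 4)  # one bit in unallocated space
    print("altered image verifies:  ", verify_image(changed, recorded))
```

Against a real acquisition, pass a file opened with open(path, "rb") and put the MD5/SHA-1 values from the FTK Imager summary window into acquisition_hashes.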


Activity 2 - Adding Evidence to FTK Imager

For this task you can use the evidence you just created, or you can download Thumbdrive.E01 from Moodle (Week 2).

  1. Open FTK Imager - File - Add Evidence Item - Image File.
  2. Select your file from Activity 1 or the Thumbdrive.E01 file - click Finish.
  3. Expand the evidence tree (click + beside the image).
  4. Navigate to the Family Pix directory.
    • Change to View - Thumbnails to preview pictures.
  5. Select MySister.jpg - right-click - Properties.
    • Record:
      • File size: __________
      • Created date/time: __________

Mini-Task: Why might timestamps differ between the file’s metadata and the system clock?


Activity 3 - Mounting an Image as a Local Drive

  1. Remove all evidence items (File - Remove All Evidence Items).

  2. Go to File - Image Mounting.

  3. Select your Thumbdrive.E01 or your own created image.

  4. Choose:

    • Mount Type: Read-Only
    • Drive Letter: (select available)
    • Mount Method: Read-Only Recommended
  5. Click Mount.

  6. Open File Explorer - This PC - verify the new mounted drive.

  7. To unmount: File - Image Mounting - select drive letter - Unmount.

Reflection: What are the advantages of mounting an image rather than opening it within FTK Imager?


Further reading:

Forensics 101 - Acquiring an Image with FTK Imager (SANS)


Best,

Ali.

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Tuesday 27 January 2026 @ 10:30:47 | Commit: 53f9309